Referral Program Consent Audit
Liability Check
Your referral program could be a massive DPDP liability. Collecting personal data (like phone numbers, emails) of non-users without their explicit consent for marketing or communication is a direct and serious violation.
Why Your Referral Program Is at Risk
When your app or marketplace asks a user to 'refer a friend' by providing their contact details (like phone number or email), you're directly collecting **personal data** of a non-user. Under DPDP, this new person becomes a **Data Principal**, whose consent is mandatory for processing their data. Their consent cannot be implied or given by the referrer. Without explicit, informed consent from the referred individual, any subsequent processing – including sending an introductory message, common in apps from Flipkart to Swiggy – is a **legal violation** that can lead to heavy penalties for your business.
Common Violations
1. Collecting a non-user's phone number or email through a referral program without their direct, explicit consent.
2. Sending introductory emails or SMS to referred individuals without first obtaining their consent for that specific communication.
3. Failing to provide the referred individual with information about how their data was obtained and how it will be processed (e.g., source of data, purpose).
The Immediate Fix
Audit your referral flow immediately. Revamp it to either empower users to share unique referral links (avoiding direct collection of third-party data) or ensure an immediate, explicit consent mechanism is in place for the *referred individual* before any data processing or communication occurs. This could mean a double opt-in.
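A sketch of the referral-link option described above, as an added example (not code from this page or from any product it mentions). The referral code carries only the referrer's own ID, and the referred person's contact is stored only when they enter it themselves and give consent. All names (`make_referral_code`, `verify_referral_code`, `sign_up`, `ACCOUNTS`) and the in-memory store are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed demo key; a real service would load this from its secret store.
SIGNING_KEY = secrets.token_bytes(32)
ACCOUNTS = {}  # in-memory stand-in for the user table (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_referral_code(referrer_id: str, key: bytes = SIGNING_KEY) -> str:
    """The code carries only the referrer's own id plus a MAC; no friend data."""
    payload = referrer_id.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_referral_code(code: str, key: bytes = SIGNING_KEY):
    """Return the referrer id, or None if the code is malformed or forged."""
    try:
        payload_part, tag_part = code.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
        referrer_id = payload.decode()
    except ValueError:  # wrong part count, bad base64, or bad UTF-8
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return referrer_id if hmac.compare_digest(tag, expected) else None


def sign_up(contact: str, consent_given: bool, referral_code: str = ""):
    """The referred person enters their own contact; nothing is stored without consent."""
    if not consent_given:
        return None
    record = {
        "contact": contact,
        "consented_at": datetime.now(timezone.utc).isoformat(),
        "referred_by": verify_referral_code(referral_code) if referral_code else None,
    }
    ACCOUNTS[contact] = record
    return record
```

The referrer shares the code as a link parameter through their own messaging app, so the service never receives the friend's phone number or email from a third party.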
Projected Compliance Deadline: Immediate